What’s Inside An FPGA? Ken Shirriff Has (Again) The Answer

FPGAs are somewhat the IPv6 of integrated circuits: they've been around longer than you might think, they let you do awesome things that intrigue people at first, but they never really broke out of their niches until rather recently. There's still a bit of myth and mystery surrounding them, and as with any technology that has grown vastly in complexity over the years, it's sometimes best to go back to its very beginning in order to understand it. Well, who'd be better at taking an extra close look at a chip than [Ken Shirriff]? In his latest endeavor, he reverse engineered the very first FPGA known to the world: the Xilinx XC2064.

If you ever wished for a breadboard-friendly FPGA, the XC2064 can scratch that itch, although with its modest 64 configurable logic blocks, there isn't all that much else it can do, certainly not compared to even the smallest and cheapest of its modern successors. And that's the beauty of this chip as a reverse engineering target: there's nothing but the core essence of an FPGA. After introducing the general concepts of FPGAs, [Ken] (who isn't known to be too shy to decap a chip in order to look inside) continued in his usual manner with die pictures, mapping the internal components' schematics to the actual silicon to make sense of it all. His ultimate goal: to fully understand and dissect the XC2064's bitstream.

Of course, reverse engineering FPGA bitstreams isn't new, and with little doubt, building a toolchain based on such results helped put Lattice on the map in the maker community (something Lattice didn't seem to value at first, but came around to soon enough). We probably won't see the same happen for Xilinx, but who knows what [Ken]'s up to next, and what others will make of this.

It’s A Boat? It’s A Duck? It’s A DIY Plastic Wrap Kayak!

Few cinematic moments were as traumatically heartbreaking as [Mufasa]'s death in The Lion King and [Wilson]'s demise in Cast Away. To think, if only [Tom Hanks]' character had found a roll of stretch wrap among the washed-up cargo, he could have built a vessel with enough room to safely stow his faithful companion. Sounds unlikely? Well, [sg19point3] begs to differ, and has a kayak to prove it.

It's as brilliant as its construction materials are simple: tree branches, packing tape, and of course the stretch wrap. [sg19point3] used two different types of branches: one that bends just enough to shape the kayak along its length, and a more flexible variety to form the rings that hold it all together. After removing the bark, he shaped the branches as needed using some pegs in the ground, and let them dry for a few days. Once ready, he put them together and stabilized the construct with packing tape until it was ready for the grand finale of wrapping the entire thing in several layers of plastic wrap. To prove he trusts his own construct, he took it for a ride to the nearest water and lived to tell the tale, and to make a video about it, which is embedded after the break.

Admittedly, putting it together all by yourself on a remote island may be a bit laborious after all, so it's a good thing [sg19point3] had some friends to help with the wrapping. Whether you'd want to take it beyond your local, shallow pond is maybe another story; you'd definitely want to steer clear of sharp rocks. For something more sturdy, check out the 3D-printed kayak from a few years ago. But in case you prefer wood, here's a beautiful canoe.

Breaking Smartphone NFC Firmware: The Gory Details

Near-field Communication (NFC) has been around a while and is used, for example, in access control, small data exchange, and of course in mobile payment systems. With such sensitive application areas, security is naturally a crucial element of the protocol, and therefore any lower-level access is usually heavily restricted and guarded.

This hardware is especially well guarded in phones, and rooting your Android device won't be of much help here. Well, that was of course only until [Christopher Wade] took a deep look into the subject, which he presented in his NFC firmware hacking talk at this year's DEF CON.

But before you cry out "duplicate!" in the comments: yes, [Jonathan Bennett] mentioned the talk in a recent This Week In Security article, but [Christopher] has since written up the content of his talk in a blog post that we thought deserves some additional attention.

To recap: [Christopher] took a rooted Samsung Galaxy S6 and searched for vulnerabilities in the NFC chip's secure firmware update process, in hopes of running a custom firmware image on it. Obviously, this wouldn't be worth mentioning twice if he hadn't succeeded, and he goes to serious length in describing how he got there. Picking a brain like his by reading up on the process he went through, from reverse engineering the firmware to actually exploiting a weakness that let him run his own code, is always fascinating and downright fun. And if you're someone who prefers to let the code do the talking, the exploits are on GitHub.

Naturally, [Christopher] disclosed his findings to Samsung, but the exploited vulnerability, and with it the ability to reproduce this, has of course been out in the field for a long time already. Sure, you can use a Proxmark device to attack NFC, or the hardware we saw a few DEF CONs back, but a regular-looking phone will certainly raise a lot less suspicion at the checkout counter, and might open up whole new possibilities for penetration testers. Then again, sometimes a regular app will be enough, as we've seen in this NFC vending machine hack.

GTA V Mod Shows (And Cheats) Those Stunt Jump Hoops

While the recent announcement of Grand Theft Auto V for the upcoming next-generation game consoles was a disappointment for those fervently waiting for a successor in the infamous video game series, it shows that almost seven years after its initial release, the epic title is still going strong, and rightfully so. But a game as varied and complex as GTA V isn't without some quirks, especially if you're going for 100% completion.

The stunt jumps seem to be a particularly pesky nut to crack here, so [Anthony Som] made it his mission to shed some light on what qualifies as a successful jump by reverse engineering the system and writing both a mod that displays the landing zone and a cheat for instant success.

If you're not familiar with the game, its vast open world map features a variety of side quests, one of them being stunt jumps, where certain locations let you launch the vehicle you're driving into the air in hopes of landing on an adjacent road or area, whether to evade the people chasing you, or just for fun. There's no telling how to actually succeed, though; the game just tells you afterwards whether you did or not, causing some degree of frustration. As an avid speedrunner (as in finishing a game in the shortest possible time), [Anthony] was looking for a way to increase the success rate of those stunt jumps, and decided to dig into the code to find out how to get there. Of course, being a proprietary game, he had to resort to reverse engineering and making use of GTA's vibrant modding scene to do so.

His initial outcome was a mod that displays the launch and landing areas as rectangles inside the game itself, which was a great help. But after already getting that far, [Anthony] figured he might as well continue and add a cheat mode that teleports the car right into the expected landing area, and be done with second-guessing his attempts once and for all.

If you're curious about modding GTA yourself, his write-up has a few good pointers for that, and of course features some real examples of it. Whether this is a good idea for the self-driving AI that uses GTA as a learning environment is probably a different story though.

Exotic Device Gets Linux Support Via Wireshark And Rust

What can you do if you have a nice piece of hardware that kinda works out of the box, but doesn't have support for your operating system to get the full functionality out of it? [Harry Gill] found himself in such a situation with a new all-in-one (AIO) water cooling system. It didn't technically require any operating system interaction to perform its main task, but things like adjusting settings or reading back statistics were only possible with Windows. He thought it would be nice to have those features in Linux as well, and as the communication is done via USB, figured the obvious solution was to reverse engineer the protocol and simply replicate it.

His first step was to set up a dual-boot system (his attempts at running the software in a VM didn't go very well), which allowed him to capture the USB traffic with Wireshark and USBPcap. Then it would simply be a matter of analyzing the captures and writing some Linux software to make sense of the data. The go-to library for USB tasks would be libusb, which has bindings for plenty of languages, but as an avid Rust user, [Harry] never had to think twice about which one to pick.

How to actually make use of the captured data was an entirely different story though, and without documentation or much help from the vendor, [Harry] resorted to good old trial and error to find out which byte does what. Eventually he succeeded and got the additional features he wanted working in Linux; check out the final code in the GitHub repository if you're curious what this looks like in Rust.
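To give a feel for the "which byte does what" step, here is an added Rust example written for this page; it is not code from [Harry]'s repository and the 8-byte report format, the additive checksum and the sample captures are all constructed assumptions, not the cooler's real protocol. The idea is the standard differential approach: record the same command several times with only one setting changed in the vendor tool, keep the settings as labels, and let a small program tell you which offsets move, which one tracks the setting, and whether the trailing byte behaves like a checksum. The last function rebuilds a packet from the recovered layout, which is what the Linux side eventually has to send over libusb.

```rust
// Added example (not from the original project): differential analysis of captured
// USB reports to locate a setting byte and a checksum, then re-encoding a packet.

/// A captured outgoing packet, labelled with the value that was set in the vendor
/// tool when it was recorded.
pub struct Capture {
    pub setting: u32,
    pub payload: Vec<u8>,
}

/// Constructed sample captures in a hypothetical 8-byte report format (assumed for
/// this example): fan speed set to 30 %, 50 % and 70 % in turn. Byte 1 is a
/// sequence counter that also changes between captures, so it acts as a decoy.
pub fn sample_captures() -> Vec<Capture> {
    vec![
        Capture { setting: 30, payload: vec![0x10, 0x01, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x2f] },
        Capture { setting: 50, payload: vec![0x10, 0x02, 0x32, 0x00, 0x00, 0x00, 0x00, 0x44] },
        Capture { setting: 70, payload: vec![0x10, 0x03, 0x46, 0x00, 0x00, 0x00, 0x00, 0x59] },
    ]
}

/// Byte offsets whose value is not identical across all captures. Everything else
/// is fixed framing and can be replayed verbatim.
pub fn varying_offsets(captures: &[Capture]) -> Vec<usize> {
    let first = match captures.first() {
        Some(c) => &c.payload,
        None => return Vec::new(),
    };
    (0..first.len())
        .filter(|&i| captures.iter().any(|c| c.payload.get(i) != Some(&first[i])))
        .collect()
}

/// Among the varying offsets, the one whose byte equals the labelled setting in
/// every capture (if any). The decoy counter fails this test, the speed byte passes.
pub fn setting_offset(captures: &[Capture]) -> Option<usize> {
    varying_offsets(captures).into_iter().find(|&i| {
        captures
            .iter()
            .all(|c| c.setting <= 255 && c.payload.get(i) == Some(&(c.setting as u8)))
    })
}

/// Test the hypothesis that the last byte is a simple additive (mod 256) checksum
/// of the preceding bytes. Other common guesses (XOR, CRC-8) would be tried the same way.
pub fn trailing_sum_checksum(payload: &[u8]) -> bool {
    match payload.split_last() {
        Some((last, body)) => *last == body.iter().fold(0u8, |acc, b| acc.wrapping_add(*b)),
        None => false,
    }
}

/// Rebuild a packet from the recovered layout (fixed header, sequence counter,
/// setting byte, padding, additive checksum), ready to be written with libusb.
pub fn encode_packet(sequence: u8, setting: u8) -> [u8; 8] {
    let mut pkt = [0x10, sequence, setting, 0x00, 0x00, 0x00, 0x00, 0x00];
    pkt[7] = pkt[..7].iter().fold(0u8, |acc, b| acc.wrapping_add(*b));
    pkt
}

fn main() {
    let caps = sample_captures();
    println!("varying offsets: {:?}", varying_offsets(&caps));
    println!("setting byte at offset: {:?}", setting_offset(&caps));
    for c in &caps {
        println!("checksum holds for setting {}: {}", c.setting, trailing_sum_checksum(&c.payload));
    }
    println!("re-encoded packet: {:02x?}", encode_packet(4, 60));
}
```

Running the example reports offsets 1, 2 and 7 as varying, identifies offset 2 as the setting byte, and confirms the checksum hypothesis for all three captures; a re-encoded packet for the same counter and speed matches the capture byte for byte, which is the test you want to pass before sending anything to real hardware.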

Capturing USB communication with Wireshark seems like a generally good way to port unsupported features to Linux, as we've seen earlier with an RGB keyboard and the VGA frame grabber that inspired it. If you want to dig deeper into the subject, [Harry] listed a few resources regarding USB in general, but there's plenty more to explore with reverse engineering USB.

Get Your SQL Statements Right The First Time With SQL Lint

What's your average success rate of getting a SQL statement right on the first try? In the best case, you botched a simple statement without side effects and just have to try again with the correct syntax or fix that typo in a table name, but things can easily go wrong fast here. But don't worry, the days of fixing it on the fly may be over, thanks to [Joe Reynolds], who wrote a linter for SQL.

A linter parses code to tell you where you screwed up. While checking SQL syntax itself is somewhat straightforward, [Joe]'s sql-lint tool will also check the semantics by querying the actual database and performing sanity checks against it. Currently supporting PostgreSQL and MySQL, it can either be run on a single SQL file or a directory of files, or take input directly from the command line. Even better, it also integrates with your editor of choice, assuming it supports external plugins, and the documentation shows how to do that specifically for Vim.
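To show what "checking the semantics" adds over a syntax check, here is an added TypeScript example written for this page; it is not sql-lint's own source, and the rule names, the tokenizer and the constructed schema (which stands in for what a real linter would read from the live database) are assumptions. It runs two syntax-level checks, then resolves referenced tables and qualified columns against the schema, and finally flags the classic DELETE or UPDATE without a WHERE clause, the mistake that turns a one-row fix into a wiped table.

```typescript
// Added example (not sql-lint's code): a minimal SQL linter with syntax checks and
// schema-aware semantic checks. Schema, rules and statements are constructed.

/** Constructed schema standing in for metadata a real linter reads from the database. */
const SCHEMA: Record<string, string[]> = {
  users: ["id", "email", "created_at"],
  orders: ["id", "user_id", "total"],
};

interface Finding {
  rule: string;
  message: string;
}

/** Split into identifiers/keywords (dots kept, so "users.email" is one token) and single symbols. */
function tokenize(sql: string): string[] {
  return sql.match(/[A-Za-z_][A-Za-z0-9_.]*|\S/g) ?? [];
}

/** Table names that follow FROM, JOIN, INTO or UPDATE (case-insensitive, lower-cased). */
function referencedTables(sql: string): string[] {
  const toks = tokenize(sql);
  const out: string[] = [];
  toks.forEach((t, i) => {
    const kw = t.toUpperCase();
    if (["FROM", "JOIN", "INTO", "UPDATE"].includes(kw) && i + 1 < toks.length) {
      const next = toks[i + 1];
      if (/^[A-Za-z_]/.test(next)) out.push(next.toLowerCase());
    }
  });
  return out;
}

function lint(sql: string, schema: Record<string, string[]> = SCHEMA): Finding[] {
  const findings: Finding[] = [];
  const toks = tokenize(sql);
  const upper = toks.map((t) => t.toUpperCase());

  // Syntax-level checks: terminator present, parentheses balanced.
  if (!sql.trim().endsWith(";")) {
    findings.push({ rule: "missing-semicolon", message: "statement does not end with ';'" });
  }
  let depth = 0;
  for (const t of toks) {
    if (t === "(") depth++;
    else if (t === ")") depth--;
    if (depth < 0) break;
  }
  if (depth !== 0) {
    findings.push({ rule: "unmatched-parentheses", message: "parentheses are not balanced" });
  }

  // Semantic check 1: every referenced table must exist in the schema.
  for (const table of referencedTables(sql)) {
    if (!Object.prototype.hasOwnProperty.call(schema, table)) {
      findings.push({ rule: "table-not-exist", message: `table '${table}' does not exist` });
    }
  }

  // Semantic check 2: qualified columns (table.column) must exist on that table.
  // Aliases are skipped here, since the alias is not a schema table name.
  for (const t of toks) {
    const m = /^([A-Za-z_][A-Za-z0-9_]*)\.([A-Za-z_][A-Za-z0-9_]*)$/.exec(t);
    if (!m) continue;
    const table = m[1].toLowerCase();
    const col = m[2].toLowerCase();
    const cols = schema[table];
    if (cols && !cols.includes(col)) {
      findings.push({ rule: "column-not-exist", message: `column '${col}' does not exist on '${table}'` });
    }
  }

  // Safety check: DELETE/UPDATE without WHERE touches every row in the table.
  if ((upper[0] === "DELETE" || upper[0] === "UPDATE") && !upper.includes("WHERE")) {
    findings.push({ rule: "missing-where", message: `${upper[0]} without WHERE affects every row` });
  }

  return findings;
}

// Usage: lint("SELECT * FROM usres;") yields one finding, rule "table-not-exist".
```

The tokenizer is deliberately naive (no string literals, no comments, no alias resolution), which is exactly the gap a real linter with a proper parser closes; but even this much catches the typo'd table name and the WHERE-less DELETE before they reach the server.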

If you can look past the fact that it's written in TypeScript and consequently results in a rather large executable (~40 MB), it might serve as an interesting starting point for the language itself, or add a new perspective on writing this type of analyzer. And if databases aren't your terrain, how about shell scripts?

Something’s Brewing Up In The Woods – And It Looks Stunning

Caffeine fuels the hacker, and there are plenty of options to get it into your system, from guzzling energy drinks to chewing instant coffee pellets. But let's take a nice cup of coffee as the input source, which itself can be prepared in many ways using all kinds of techniques. In its simplest form, you won't need any fancy equipment or even electricity, just heat up some water over a fire and add your ground beans to it. This comes in handy if you're camping out in the woods or find yourself in a post-apocalyptic world, and in case you still prefer a stylish coffee maker in such a situation (why let an apocalypse ruin having nice things?), you're in luck, because [Andreas Herz] designed this nifty-looking off-the-grid coffee maker.

The design somewhat resembles a certain high-end precision coffee maker that even fictional billionaires approve of; [Andreas] created it in Fusion 360 and the files are available online. The base of the device is made from brass, wood, and silicone he cast in a 3D-printed mold, while the glass and ceramic parts, i.e. the water tank and coffee pot, are simply store-bought. [Andreas] opted for fuel gel as the heat source, which burns under a copper coil that acts as a heat exchanger and starts the actual brewing process. It took him a few attempts to get it right, and in the end, a coat of black exhaust paint did the trick to get the temperatures high enough.

This may not be the fastest coffee maker, as you will see in the video after the break, but choosing a different fuel source might fix that; [Andreas] just went the safe(r) way by using fuel gel here. But hey, why rush things when you're camping or having a cozy time in a cabin anyway? Now all you need is the right blend, maybe even your own, made with a camp stove coffee roaster. Of course, in case of an actual apocalypse, you may not have easy access to a CNC router or 3D printer, but then there's always the option to build an espresso machine from salvaged motorcycle parts.
